Since 2014, millions of taxpayers used the IRS’ online “Get Transcript” service to get transcripts of their tax records. Unfortunately for them, so did identity thieves, according to a federal government watchdog.
Between January 1, 2014 and May 21, 2015, the personal tax accounts of more than 350,000 taxpayers “were successfully accessed by unauthorized individuals,” through the Get Transcript service, according to an audit report from the Treasury Inspector General (IG) for Tax Administration.
But that was just a hint at the actual depth of the security breach, which the inspector general found has now placed nearly 621,000 taxpayers “at heightened risk of future identity theft.” In all, the IG’s investigators found that the accounts of nearly a million taxpayers had experienced “suspicious access attempts.” In just its first six months online, the Get Transcript service provided more than 23 million records.
Worse yet, since those tax records included information about the taxpayers’ spouses and dependents, “the actual number of individuals whose personal information” may have been stolen by identity thieves is “significantly larger,” found the IG’s office.
(Note: Do not confuse tax record transcripts with exact copies of tax returns. There are times when you need an exact copy of a previously filed and processed tax return with all attachments, including your Form W-2. Exact copies of tax returns can only be ordered from the IRS by mail.)
On May 21, 2015, the IRS temporarily removed the Get Transcript application from its website after discovering the breach. “The IRS believes that some of this information may have been gathered to file fraudulent tax returns,” stated the report.
In a memo attached to the IG’s report, Debra Holland, IRS commissioner of the wage and investment division, stated, “Criminals are becoming increasingly sophisticated and are gathering vast amounts of personal information as the result of data breaches at sources outside the IRS,” adding that those criminals use the information to “impersonate their victims [in order to] obtain the tax return and account information of the legitimate taxpayer.”
Fraudulent tax refunds are a major contributor to the ever-widening U.S. tax gap, which costs taxpayers over $350 billion every year.
IRS Did Too Little to Help Targeted Taxpayers
So, what did the IRS do to help those taxpayers whose personal accounts were hacked? Far from enough, according to the report.
For example, the IRS failed to offer free credit monitoring or an Identity Protection Personal Identification Number (IP PIN) to 79,122 individuals whose tax accounts were identified as definitely involved in an attempted unauthorized access.
An IP PIN is a number assigned by the IRS to eligible taxpayers to help them prevent the misuse of their Social Security number on fraudulent federal income tax returns.
In its response letter, the IRS told the IG that it did not offer free credit monitoring because the data thieves apparently got the taxpayers’ personal information, including Social Security numbers, “from sources outside the IRS.”
The inspector general, however, found that excuse a bit lame.
“All individuals whose accounts were targeted through the Get Transcript application should receive the same protection,” wrote the IG, “because they are at an increased risk of having an identity thief file a fraudulent tax return using their personal information.”
As to why it failed to issue IP PIN numbers to the 79,122 taxpayers whose Social Security numbers had been used to file fraudulent tax returns, the IRS responded that it considered the IP PINs to be “just one tool in its efforts to combat identity theft.”
Nope. While the IRS called it a reason, the inspector general called it an excuse and it didn’t fly, either.
“Unfortunately,” the IG stated, “the lack of prompt action on this issue leaves the 79,122 taxpayers whose accounts were targeted at an increased risk of an identity thief filing a fraudulent tax return using their personal information.”
Congressman Asks IRS, ‘Why No Einstein Yet?’
According to Sen. Ron Johnson (R-Wisconsin), chairman of the Homeland Security and Governmental Affairs Committee, the IRS could have eliminated many if not all of its data security problems if the agency had implemented the sophisticated security system called Einstein.
In a September 8, 2016 letter to embattled IRS commissioner John Koskinen, Sen. Johnson slammed the agency’s “apparent reluctance” to implement Einstein. Under the Federal Information Security Modernization Act of 2014 (FISMA), all federal agencies are required to fully implement Einstein by December 18, 2016.
“The IRS’s refusal to adopt the Einstein system is very concerning due to the vast amounts of personal data stored by the agency, as well as its recent security breaches,” wrote Johnson. “As you know, last year the IRS suffered a substantial breach. However, the DHS recently told my committee staff that the IRS is either unable or unwilling to implement the statutorily required mandates of integrating all levels of the Einstein network protection tools on the IRS systems and for all IRS data.”
However, the IRS stated it had already implemented two of the three required phases of installing Einstein, and planned to finish the final phase in time to meet the December 18 deadline. “This remains a priority area even as the IRS budget has declined by $900 million since 2010,” stated the IRS.
What Else Will the IRS Do?
As a result of the inspector general’s report, the IRS did agree to take some positive steps related to the Get Transcript data theft breach, including:
Improving the notification letters it sends to taxpayers whose personal information might have been improperly accessed or stolen
Developing and implementing improvements to the methods it uses to identify taxpayers impacted by the Get Transcript breach
“Our review of IRS issuance of notification letters identified that the letters did not always provide sufficient information to identify dependents who may have been listed on accessed transcripts,” stated the IG’s report. “Other letters did not provide the correct address for the credit bureau to be contacted for free credit monitoring. In addition, duplicate letters were mailed to some taxpayers.”